May 24, 2018

The mobile app, TeenSafe, bills itself as a “secure” monitoring app
for iOS and Android, which lets parents view their child’s text
messages and location, monitor who they’re calling and when, access
their web browsing history, and find out which apps they have
installed. […]

But the Los Angeles, Calif.-based company left its servers, hosted on
Amazon’s cloud, unprotected and accessible by anyone without a
password. […]

The database stores the parent’s email address associated with
TeenSafe, as well as their corresponding child’s Apple ID email
address. It also includes the child’s device name — which is often
just their name — and their device’s unique identifier. The data
contains the plaintext passwords for the child’s Apple ID. Because the
app requires that two-factor authentication is turned off, a malicious
actor viewing this data only needs to use the credentials to break
into the child’s account to access their personal content data.

As was noted by John Gruber over at Daring Fireball, it seems like the app extracts its data from a device’s iCloud backups, which is why they require two-factor authentication to be turned off. Setting aside the discussion about whether an application or service like this is actually useful or necessary, if a company is going to ask you to trust them with your child’s personal information, I would hope they’d do better than storing the information in plaintext on a server without a password.